Method and arrangement for securing a man-machine dialogue

ABSTRACT

The invention relates to a method and arrangement for securing a man-machine dialogue between a user and at least one application, which may be executed on a terminal, whereby a communication between user and application is achieved by means of input channels and output channels on the terminal. According to the invention, the user can be given the security that he is communicating with only one particular application, whereby the input channels and/or the output channels of the terminal, together or separately, may be optionally switched by means of a switching device such that only the particular application is available.

[0001] The invention relates to a process and arrangement for securing a man-machine dialogue according to the generic concept of the independent patent claims.

[0002] A man-machine dialogue of this type is performed in digital signature procedures, for example. Digital signatures have an application everywhere that the authenticity and integrity of electronic documents are involved, for example in the areas of electronic commerce, e.g. e-commerce, banking, brokerage, etc., or in the area of public law, e.g. notarial authentication. In order to perform a digital signature procedure, a suitable end-device is required, e.g. a special terminal or a personal computer, with which a dialogue is possible between a user and at least one application that can be performed on a terminal, whereby a communication between user and application is done via input channels and output channels of the terminal. Also, the modern terminals used in mobile telephone service essentially meet all of the prerequisites for digital signature procedures. They are equipped with alphanumeric display and keypads and implicitly have a chip card reader.

[0003] In order to perform a digital signature, the document to be signed is sent via a suitable transmission path, e.g. in mobile telephone service via the mobile telephone network, from a requesting unit, e.g. a server, to a suitable terminal and/or to a signing device in the terminal or on the chip card. The terminal and/or the signing device in the terminal or on the chip card bring the document to be signed onto the display of the terminal so that it is displayed and prompt the user to initiate the signing operation by the keypad. For authentication, the signing device requires the user to enter a signature-PIN on the keypad. After the input of the correct signature-PIN, the signing device carries out the signature and sends it with the document back to the signature-requesting unit. It is also conceivable that the signing device (and/or the terminal) ensures the authenticity of the user by biometric processes, e.g. finger prints, speech input, etc.

[0004] Since the signature-dialogue, i.e. the display of the document to be signed, the prompting for confirmation and the prompting for input of the signature-PIN, is embedded in a superordinate application-specific dialogue, which comes from and/or is controlled by another source such as a WML-deck, i.e. not the signing device, and since in addition there are several sources for outputting on the display, e.g. other applications running in parallel, user control of the terminal, etc., the user cannot be sure whether the display of the document to be signed and the inquiry for the signature-PIN are authentic, i.e. actually come from the signing device.

[0005] Basically, the user cannot recognize from whom the data shown on the display of the terminal comes. The applications, in particular for WAP (WML-decks), are usually anonymous, i.e. are not checked and certified by the network operator or another authority. Thus, for example, it is possible for foreign applications to imitate the signature-dialogue of the signing device, in order to get to the user's signature-PIN.

[0006] The purpose of the invention is to provide a process and arrangement for securing a man-machine dialogue that makes it possible for the user to safely identify and control the source of the display information and/or to be able to control the passing on of input information in accordance with specifications.

[0007] This purpose is achieved by the characteristics of the independent patent claims.

[0008] The invention is based on the fact that the input channels and/or the output channels of the terminal, together or separately, can be switched selectively using a switching device in such a way that they are available exclusively to one specific application.

[0009] In this way, it can be ensured according to the invention, that

[0010] 1) the outputs of a terminal, i.e. the data and text shown on the display

[0011] come from a source that is known to and trusted by the user and/or

[0012] the information source is shown to the user reliably by the terminal and/or

[0013] the user can identify the source himself and

[0014] 2) the entries on the terminal (e.g. for authentication of the user with regard to a signing device, e.g. using signature-PIN (keypad), finger print (sensor), speech input (speech analysis module))

[0015] are only passed on to a trusted destination that can be specified by the user and/or

[0016] are only passed on to a destination that is reliably shown by the terminal.

[0017] It is also possible by the invention to ensure that a user has a dialogue, e.g. a signature-dialogue, exclusively with one specific application, e.g. a signing device. In other words, the user can be certain that the data shown on the display comes from the signing device and that his entries are passed on exclusively to the signing device.

[0018] Advantageous embodiments and additional constructions of the invention are given in the dependent patent claims.

[0019] According to the invention it is possible that different applications can each be exclusively coupled alternatively to the input/output channels. In other words, the user can selectively allocate the input/output channels of the terminal exclusively to one application at a time.

[0020] The switching over of the input/output channels to an application can be done mechanically, electronically or using software. The switching device contains for this purpose preferably a mechanical, electronic or software-controlled switch.

[0021] In a preferred embodiment form, the switching over to a specific application is activated by a defined button on the terminal or an input code. For example, a special button can be allocated to each application that can be selected by the user.

[0022] In the case of the use of a button, the switching over is done by the user. The switching can also be initiated automatically, however, by the terminal and by special signals or commands.

[0023] In a preferred embodiment of the invention, the switching over to a specific application is shown to the user in an unambiguous manner by an optical and/or acoustic signal. If a choice can be made to switch between several applications, then a separate optical or acoustic signal will preferably be assigned to each application.

[0024] The associated application can be started at the same time as theswitching over of the input/output channels.

[0025] To additionally increase the security for the user, it is provided that the source of the data of the output channel can be identified by a secret code agreed between the source and the user. Each time the data is displayed on the display of the terminal, the secret code is simultaneously displayed for authentication of the source.

[0026] The applications that can be executed can be contained in a chip card that can be used in the terminal or in the terminal itself.

[0027] In the following, the invention is explained in greater detail by an embodiment example using a drawing. Additional characteristics, advantages and applications of the invention can be ascertained from the drawing and its description.

[0028] FIG. 1 shows schematically a terminal 1 for performing a digital signature dialogue as one of several available applications. The terminal 1 contains an input and output part 2 with a keypad 4 and a display 3 and a function and application part 7 which contains several applications 8, 9, 10. Furthermore, the terminal 1 contains a switching device 11, by which a choice can be made to switch the input and output units 3, 4 exclusively to one of the applications 8, 9, 10. The input and output part 2 and the function and application part 7 are usually housed in a common housing (not shown).

[0029] In the following, the arrangement and the process are explained by the example of the digital signature, whereby the signing device 10 inside the terminal 1 is both source and destination of the data of the signature dialogue. The signing device 10 can also be contained on a chip card (not shown) to be used with the terminal.

[0030] The signature dialogue between the user of the terminal 1 and the signing device 10 can consist of the following steps:

[0031] At first, the document to be signed, which is transmitted from a requesting external location, is displayed to the user on the display 3 of the terminal 1 in some manner, either directly as text or as a reference to a text or as an icon and/or image.

[0032] Then, the user is prompted to confirm or reject the text.

[0033] For this purpose, the user is prompted to authenticate himself to the signing device 10, e.g. by entering a signature PIN by the keypad 4. After that, the signing device 10 checks the input signature PIN, signs the document, if necessary saves the signature and initiates the sending of the signature to the requesting location.

[0034] It is possible to record the signature dialogue in the signing device 10 or in the terminal 1, and to save the documents and signatures for possible later verification procedures.

[0035] According to the invention, the input/output channels, i.e. the keypad 4 and the display 3 of the terminal 1, are made available exclusively to the signing device 10 in that a directly switched connection (signing switch) is made between the input/output channels 3, 4 and the signing device 10, whereby the switch position can be recognized by the user. For this purpose, the terminal contains a switching device 11, which provides that only one application, here the signing device 10, can communicate exclusively with the user via the input/output channels 3, 4 of the terminal 1.

[0036] In a preferred embodiment form, the activation of the switch-over into the signing position is achieved by the input of a keypad code, and in the simplest case, by the activation of a special signing button 5 (signature button) on the terminal 1, whereby the activation of the button 5 controls the switching device 11. After the activation of the signature button 5, keypad 4 and display 3 of the terminal 1 are allocated fixed and exclusively to the signing device 10, i.e. each input goes via the keypad 4 to the signing device 10 and each display on the display 3 comes from the signing device 10. This is shown in the drawing by the assignment arrow.

[0037] Instead of a manual switch-over, the switch to the signing position can also be initiated automatically by the terminal 1.

[0038] For the technical implementation of the switch-over on the terminal 1, different embodiment forms are possible. In the simplest case, the switching device 11 is a switch, which for example, is connected galvanically, electronically, or via software. In each case, the user must be certain that the switch-over visible to him is correspondingly implemented in the terminal 1.

[0039] An additional component of the invention is that the exclusive allocation of the input/output channels, i.e. of the keypad 4 and display 3 to the signing device 10, is shown to the user optically and/or acoustically by a special signature signal 12 used exclusively for this allocation. This signature signal is in the simplest case the switch position of a mechanical throw-over switch. It could also be, in a functional way, an illumination or a blinking of the signature button or a display element of the display 3.

[0040] An additional component of the invention is the possibility for the user to identify the source of the data of the output channel in such a manner that between the source and the user a secret code signal 6 is agreed, which, for example, appears displayed each time on the display 3. An agreed secret code between the user and signing device can, for example, be the sequence of characters 1F7D. During the prompting for the input of the signature-PIN, the following appears on the display: “Please confirm the signing procedure by entering your signature-PIN. Auth: 1F7D”

[0041] The user recognizes by the authentication code 1F7D that the data comes from the signing device.
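To make the arrangement of [0035] to [0041] concrete, the following is an added simulation of the switching device 11, the signature signal 12 and the secret code 6 from the description; it is illustrative code written for this page, not code from the patent. The class names, the routing of keypad input to a "foreground" application when the switch is not set, and the sample signature-PIN are assumptions; it shows that while the switch is in the signing position, output from any other application is rejected and every keypad entry reaches only the signing device.

```python
AUTH_CODE = "1F7D"    # secret code (6) agreed between user and signing device, as in the text
SAMPLE_PIN = "2468"   # constructed signature-PIN for the simulation (assumption)


class Application:
    def __init__(self):
        self.received = []   # keypad input that actually reached this application

    def on_input(self, terminal, text):
        self.received.append(text)

class SigningDevice(Application):
    """Application 10: shows the document, asks for the PIN, signs when the PIN is correct."""
    def __init__(self, pin):
        super().__init__()
        self.pin, self.document, self.signed = pin, None, []

    def start_dialogue(self, terminal, document):
        self.document = document
        terminal.show(self, "Please confirm the signing procedure by entering your signature-PIN. Auth: " + AUTH_CODE)

    def on_input(self, terminal, text):
        super().on_input(terminal, text)
        if text == self.pin:
            self.signed.append(self.document)
        # every line the signing device writes carries the agreed code (6)
        terminal.show(self, ("Signed" if text == self.pin else "Wrong PIN") + ". Auth: " + AUTH_CODE)

class Terminal:
    """Terminal 1 with switching device 11, signature signal 12 and signature button 5."""
    def __init__(self, foreground, signing):
        self.foreground, self.signing = foreground, signing
        self.exclusive = None           # switch position: None, or the application owning channels 3 and 4
        self.display = []               # lines written to display 3
        self.signature_signal = False   # signal 12: on only while the channels belong to the signing device

    def show(self, source, text):
        # output channel 3: once the switch is set, only its owner reaches the display
        if self.exclusive is not None and source is not self.exclusive:
            return False
        self.display.append(text)
        return True

    def keypress(self, text):
        # input channel 4: goes to the switch owner if set, otherwise to the foreground application
        (self.exclusive or self.foreground).on_input(self, text)

    def press_signature_button(self, document):
        # button 5 sets the switch, raises signal 12 and starts the dialogue at the same time ([0024])
        self.exclusive, self.signature_signal = self.signing, True
        self.signing.start_dialogue(self, document)
```

A foreign application in the foreground can still write an identical-looking prompt while the switch is not set, but then signal 12 is off and the line lacks the agreed code, which is exactly what the user is meant to check.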

Drawing Key

[0042] 1 Terminal

[0043] 2 Input/output part

[0044] 3 Display

[0045] 4 Keypad

[0046] 5 Signature button

[0047] 6 Code signal

[0048] 7 Function/application part

[0049] 8 First application

[0050] 9 Second application

[0051] 10 Signing device (third application)

[0052] 11 Switching device

[0053] 12 Signature signal

1. Process for securing a man-machine dialogue between a user and at least one application, which may be executed on a terminal, whereby a communication between user and application is achieved by means of input channels and output channels on the terminal, characterized in that the input channels (4) and/or the output channels (3) of the terminal (1), together or separately, may be optionally switched such that they are only available to one particular application (8; 9; 10).
2. Process according to claim 1, characterized in that the different applications (8; 9; 10) can each be alternatively exclusively coupled to the input/output channels (3, 4).
3. Process according to one or more of the previous claims, characterized in that the input/output channels (3, 4) are only allocated exclusively to one application (8; 9; 10) at a time.
4. Process according to one or more of the previous claims, characterized in that the switching is done mechanically, electronically, or using software.
5. Process according to one or more of the previous claims, characterized in that the switching over can be activated by a defined button (5) on the terminal (1) or an input code.
6. Process according to one or more of the previous claims, characterized in that the switching is done manually by the user or automatically by the terminal (1).
7. Process according to one or more of the previous claims, characterized in that the switching to a specific application (8; 9; 10) is displayed to the user in an unambiguous manner by an optical and/or acoustic signal (12).
8. Process according to one or more of the previous claims, characterized in that a specific application (8; 9; 10) is started simultaneously with the switching.
9. Process according to one or more of the previous claims, characterized in that the application (10) is a signing procedure that is itself present in a chip card that can be used with the terminal or in the terminal itself (1).
10. Process according to one or more of the previous claims, characterized in that the source of the data of the output channel (3) can be identified by a secret code (6) agreed between the source and the user.
11. Process according to one or more of the previous claims, characterized in that the secret code (6) appears on the display (3) every time the data of the source is displayed.
12. Arrangement for securing a man-machine dialogue containing a terminal with input channels and output channels and at least one application that can be executed on the terminal and that communicates, for the dialogue with the user, by means of the input channels and output channels, characterized in that the terminal (1) contains a switching device (11), by which the input channels (4) and/or the output channels (3) of the terminal, together or separately, may be optionally switched such that they are only available to one particular application (8; 9; 10).
13. Arrangement according to claim 12, characterized in that the switching device (11) contains a mechanical, electronic, or software-controlled switch.
14. Arrangement according to one of the claims 12 or 13, characterized in that the input channels (4) and output channels (3) are comprised of a keypad and a display of the terminal.
15. Arrangement according to one or more of the claims 12 to 14, characterized in that the application (10) is a signing device.
16. Arrangement according to one or more of the claims 12 to 15, characterized in that the signing device (10) is contained in the terminal (1) or a chip card that can be used with the terminal.